Wednesday, February 29, 2012

An interesting tool for your SwissKnife.

Hi folks,

My past weeks have been quite intense and busy; unfortunately the coming weeks seem to follow the same pattern... I am going to be travelling between conferences and meetings from early April, which could affect my posting frequency. That said, today I'd like to share a pretty nice tool pointed out to me by a student of mine, called mimikatz. This Windows-specific tool helps penetration testers in different ways; specifically, it helps pen testers find the clear-text passwords of users logged on to Windows and inject libraries into processes. The author seems to be a French guy who posted examples and test cases in French. I am not a native French speaker, so I am not going to describe every mimikatz feature (since I could only understand the ones I am going to describe), but rather the ones I believe to be most interesting for pen testers.

mimikatz::inject. This is the inject functionality implemented in the mimikatz framework. The inject parameter takes the PID and the library to inject as input parameters. The following example injects kelloworld.dll into the process with PID 3256, which happens to be Microsoft Word.

This actually makes me reflect on Windows memory management. Since there is no need to have plaintext passwords in LSASS (indeed it uses hashes and not plain-text passwords), it means that the plain-text passwords are stuck in memory in the original input-holding variable. This makes me think that no memory cleaners are used in the Windows logon. I am not 100% sure, I could be wrong, but if you follow my brainstorming it could easily be this way, which actually is a quite important mistake that allows programs to read logon passwords from memory (as it actually works in this way!).
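From the defender's side, both behaviours described above (a process reading LSASS memory, and a remote thread loading a DLL into another process) leave a trace in endpoint telemetry. The following is an added example, not part of the original post or of mimikatz: a small Python triage over constructed events modelled on Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread). The sample paths, the event layout and the allowlist are assumptions.

```python
"""Triage constructed Sysmon-style events for LSASS memory reads and remote DLL loads."""
from typing import Dict, List, Tuple

PROCESS_VM_READ = 0x0010  # access right a process needs to read another process's memory

# Constructed sample events (not real log data), modelled on Sysmon
# Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": "10", "SourceImage": r"C:\Users\bob\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": "8", "SourceImage": r"C:\Users\bob\Downloads\tool.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryW"},
    {"EventID": "8", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\conhost.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]

# Assumed allowlist of system images expected to open LSASS; tune it per environment.
LSASS_READER_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


def is_lsass_memory_read(ev: Dict[str, str]) -> bool:
    """Event ID 10: a non-allowlisted image opened lsass.exe with PROCESS_VM_READ."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)  # Sysmon logs the mask as hex text
    if not granted & PROCESS_VM_READ:
        return False  # query-only handles (e.g. 0x1000) cannot read credential material
    return ev.get("SourceImage", "").lower() not in LSASS_READER_ALLOWLIST


def is_remote_loadlibrary_thread(ev: Dict[str, str]) -> bool:
    """Event ID 8: a thread created in another process whose start routine is LoadLibrary*."""
    return ev.get("EventID") == "8" and ev.get("StartFunction", "").startswith("LoadLibrary")


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for events matching either behaviour."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        if is_lsass_memory_read(ev):
            findings.append(("lsass_memory_read", ev["SourceImage"]))
        elif is_remote_loadlibrary_thread(ev):
            findings.append(("remote_dll_injection", f"{ev['SourceImage']} -> {ev['TargetImage']}"))
    return findings
```

On the sample data only the two events from the unsigned download path are flagged; the svchost handle lacks PROCESS_VM_READ and the csrss thread does not start in LoadLibrary.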

The following example shows how to use the hashes functionality to dump SAM hashes:

You will find this interesting tool here (it happens to be a French site, but Google Translate does its job very well). Finally, I like this tool and I do suggest keeping it in your own Swiss-army knife, especially if you need to inject your own DLL into a specific PID, obtaining that PID's rights. Happy hunting!